In a normal year, springtime has insurers (property and casualty in particular) preparing for the hurricanes, wildfires, flooding and other environmental catastrophes that typically accompany April showers.

But this year, spring introduces an entirely different challenge, one that has nothing to do with physical environments and everything to do with data: How should insurers collect, use and protect it?

The Global Data Protection Regulation (GDPR) will go into effect on May 25, 2018. GDPR is a set of rules designed to provide clarity, transparency and protection for the personal information of all European Union (EU) residents. It applies to any company worldwide that stores personal information of EU residents, prohibits unauthorized access to that data, and ensures consumers understand and control how their personal information is treated.

Failure to comply can result in stiff penalties.

Business and technology

The sections of GDPR that focus on how companies' IT and data security practices operate are robust.

The timeframes allowed for reporting security breaches are almost immediate.

Systems must be designed to ensure that personal information management is high quality, accurate, consistent across databases, secure, private, and includes clear data lineage.

Direct accountability for oversight of all GDPR mandates must exist within the company, dictating the appointment of a qualified Data Protection Officer in some instances.

Business aspects of GDPR reach across the company and aim to provide customers with much more control over their personal data. Obtaining clear and unambiguous consent from customers for communications and solicitations is required.

Companies also must let consumers see, receive and correct (if necessary) all personal information stored in company databases. Customers must have the power to “be forgotten,” meaning they can ask for their personal information to be removed from company databases.

Personal data cannot be retained past a “reasonable use” timeframe. And customers have the right to understand and agree to how their personal data is being collected and used.

The insurer's challenge

The IT and data security requirements of GDPR could place significant burden on insurers, particularly those with antiquated legacy applications, siloed business units and databases, and less than mature data management and governance practices.

However, impacts on business units are arguably even more significant.

Insurance is a data-intensive and analytical business. Insurers collect and maintain significant amounts of personal data, using it for everything from detecting risk and pricing policies to identifying fraud and facilitating claims processes.

The following business units could see substantial impacts as GDPR enforcement gets underway:

Marketing

Marketers face growing pressures to improve customer experience, personalize messaging and react to customers in real time.

Data and analytics are critical tools marketers use to accomplish this, but GDPR may get in the way.

GDPR mandates that companies obtain “freely given, specific, informed, unambiguous consent” for solicitations and communications.

This means marketing can no longer rely on soft opt-in processes, lack of opt-out, or a simple blanket opt-in checkbox for communication and analysis activities.

At best, communications, campaigns, and web and mobile applications must request and store consent on an individualized, action-oriented basis. These consent forms must be captured, stored and auditable, so companies can prove when consent was given and for what.

At worst, companies may need to review all customer databases to understand whether obtained consents meet GDPR requirements.

Pricing and underwriting

Rich data, including IoT data from telematics devices, enables pricing and underwriting functions to identify granular risk pools and price policies on a highly customized basis. Credit history, health information and location data play an increasing role in underwriting decisions.

Collecting this type of personal data raises some thorny GDPR questions. Have individuals consented to the collection of this data? Do they know when it is being collected? Do they understand how it is being used? Can the company explain how decisions pertaining to price or coverage have been made?

Further complicating things, many of these decisions are automated — i.e., AI or machine learning algorithms (where decision parameters are less transparent) facilitate decision-making based on personal data.

This analytical activity will most likely fall under profiling, defined under GDPR as, “Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

This expands the customer rights insurers will have to satisfy.

Underwriters (or issuing agents) will have to prove this type of analysis meets certain criteria. Is the resulting decision in the customer's best interest? Can the customer get a clear explanation of these decisions? Is the company taking measures to prevent discrimination on the basis of ethnicity, political opinions, religion, etc.?

Customers will have the right to object to automated decisions, asking instead for human intervention.

At minimum, insurers will have to facilitate non-automated pricing decisions and make factors influencing algorithmic decisions clear.

Fraud and claims

Data is the cornerstone of fraud detection.

Not only do insurers rely on their own first-party data for fraud prevention, they also share information across agencies such as the Insurance Fraud Bureaus (IFBs) and Comprehensive Loss and Underwriting Exchange (C.L.U.E.). These agencies collect and store customers' personally identifiable information, including criminal histories, claims history, etc.

In most cases, insurers themselves contribute customer information to the agencies in addition to receiving it. While the industry awaits clarification regarding acceptable uses, it's clear that insurers will have to explain what information they're sharing, how they're using agency information, and possibly defend the necessity to do so.

The right of a customer to be forgotten, e.g., demand erasure of their personal data, also raises questions. Removing claims loss data or fraud reports will make it difficult to detect and stop fraudulent activities (particularly for repeat offenders), and the industry is working with regulators on this issue.

Claims processing also will be impacted, as insurers routinely work with third parties (suppliers, mechanics, repair services, etc.) to complete claims.

At minimum, insurers will be on the hook to ensure that, when they pass customer information to suppliers, those companies also apply the mandated GDPR protections. If a customer asks to be forgotten, the insurer will have to ensure the information is erased not only from its own databases but also from third-party databases, which will not be an easy task.

Regardless of the sentiment this legislation generates, one thing is clear: GDPR will have a profound impact on the insurance industry and finance businesses worldwide.

This impact will force insurers to re-evaluate both analysis and data collection practices, and customer communications. Complying with GDPR also may spur insurers to forge close partnerships between their business units, IT, and security or privacy departments.

Lisa Loftis is a thought leader on the SAS Best Practices team, where she focuses on customer intelligence, customer experience management, and digital marketing. She is co-author of the book, Building the Customer Centric Enterprise. She can be reached at [email protected].

https://twitter.com/lisamloftis | https://www.linkedin.com/in/lisaloftiscrmcem


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.